The Privacy Rights Clearinghouse (PRC), along with readability expert Mark Hochhauser, Ph.D., is writing to call your attention to a recent survey of online pharmacies and, in particular, to the failure of most sites to post a HIPAA Privacy Notice. Please consider this letter to be a complaint.

This study, conducted by respected readability consultant Mark Hochhauser, Ph.D.,² and the Privacy Rights Clearinghouse, comes to an alarming conclusion: a majority of the online pharmacies examined fail to comply with HIPAA's requirement that covered entities give individuals adequate notice of their privacy practices and procedures, as specified in §164.520 of the Privacy Rule. The study is available at the PRC web site, http://www.privacyrights.org/ar/PharmacyPrivacy.htm.

In conducting this survey, Dr. Hochhauser visited 50 online pharmacy web sites. Of the 50, only 11 sites (22%) included a HIPAA Privacy Notice. The 11 sites that had a HIPAA privacy notice also posted a web site privacy policy.

An additional 17 online pharmacies had privacy policies, indicating that 56% of the total sites surveyed posted a privacy policy. In other words, 44% of the sites, or 22 online pharmacies, had neither a web site privacy policy nor a HIPAA policy. Only four of the 50 sites studied (8%) were certified by VIPPS (Verified Internet Pharmacy Practice Sites) through the National Association of Boards of Pharmacy. As the study shows, having VIPPS certification does not ensure compliance with the HIPAA notice requirement.

The HIPAA Privacy Rule (§164.520) requires covered entities, including health care providers, to give individuals adequate notice of uses and disclosures of protected health information. As defined by HIPAA, health care means "care, services, or supplies related to the health of an individual," including the "sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription" (§160.103(2)).

The Privacy Rule makes no exception for pharmacies or other covered entities that transmit protected health information electronically. In fact, HHS guidance even recognizes the new era of electronic services by allowing a covered entity to obtain an individual's acknowledgement of having received the privacy notice electronically.

Online pharmacies are no less obligated than their brick and mortar counterparts to give individuals the required privacy notice. Although 56% of the online pharmacies surveyed included a website privacy notice, this does not comply with the very specific privacy notice required by HIPAA.

Online pharmacies that fail to give a HIPAA privacy notice deny individuals the fundamental rights guaranteed by the Privacy Rule. Specifically, individuals who fill prescriptions through an online pharmacy are entitled to notice, among other things, of their right to:

Obtain copies of their medical records.

Request restrictions on the use and disclosure of medical information.

Request an amendment of medical records.

Request an accounting of disclosures of medical information.

Receive notice of how to complain to a covered entity and to the Secretary of HHS.

We urge the OCR to investigate online pharmacies and to take the necessary action to ensure that online pharmacies, like any other covered entity, comply with the HIPAA privacy notice requirements.

² Dr. Hochhauser has published many articles and studies on readability. He has served as a consultant to state insurance agencies as well as the Department of Health and Human Services. As part of his consulting work with HHS, Dr. Hochhauser studied and reported on the readability of privacy notices mandated by the privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Dr. Hochhauser's report, titled Compliance vs. Communication, is reprinted on the PRC web site with the permission of the original publisher, Clarity: www.privacyrights.org/ar/HIPAA-Reading.htm